The story of Pipedrive started just like the story of StrangeBee and TheHive.
Over 10 years ago, a small group of sales professionals was looking for a CRM (Customer Relationship Management) platform that could do more than what the market could offer. They needed an easy-to-use, effective tool that would centralize all the essential data, helping users visualize the entire sales process and win more deals.
So, they created their own, and this is how Pipedrive was born. Their thoughtfully developed CRM platform eventually hit the spot for fellow salespeople all over the world. Today, more than 100,000 companies worldwide use it, and the Pipedrive team consists of 850+ people across 8 countries.
The company’s cybersecurity team is extremely committed to safeguarding such an extensive global infrastructure and its sensitive data. For this, they need reliable, efficient and versatile tools.
This success story is about how TheHive became one of the core elements of the team’s workflows as a highly customizable and flexible ticketing and case management system.
Why Pipedrive’s cybersecurity team chose TheHive
Before fully committing to TheHive, the cybersecurity team at Pipedrive evaluated several alternatives, including traditional ticketing systems (like Jira and Confluence), as well as other security-focused platforms.
The majority of the solutions we considered lacked flexibility and integration capabilities. TheHive allows us to ingest alerts and customize responses according to our IR playbooks. It supports seamless integration to build our automations.
Andrew Karell,
Lead Security Engineer
Eventually, TheHive became the perfect choice. From early open-source versions (starting with v3 and v4) to the latest v5, it has been a key part of the team’s workflow.
The improvements in version 5 of TheHive made it even more appealing. It offered greater flexibility to tailor workflows that align with our real-life processes, making it intuitive to work with. Also, both our analysts and management appreciate the ability to create dashboards and track security cases in a structured way.
Joanna Raave,
Security Analyst
TheHive in the cybersecurity team’s workflow
TheHive is tightly integrated with the team’s custom-built security orchestration, automation and response (SOAR) platform.
The SOAR platform ingests alerts from multiple sources and connects to Pipedrive’s third-party tools. The team built it to integrate their alerting systems seamlessly, automate most of their responses via playbooks and, ultimately, manage investigations (alerts, cases and incidents) from “Create” to “Close” much more effectively and efficiently.
Among other things, the custom SOAR allows the team to identify new alerts, prioritize and escalate cases and generate analytics.
Working closely with the SOAR platform, TheHive is a critical element of the team’s alert and case management workflow.
Its integration capabilities and the ability to centralize and organize data from different tools in a user-friendly and actionable way have helped us spend significantly less time on routine tasks and focus on what’s really important.
Andrew Karell,
Lead Security Engineer
Here’s how the team uses the platform:
API-powered integration and automation
The team relies heavily on TheHive’s API, using around 20 different endpoints for actions like:
- Creating and promoting alerts to cases
- Analyzing observables to gather threat intelligence
- Adding attachments, like screenshots as evidence
- Retrieving information using search features
The API allows them to integrate TheHive with the custom SOAR system, Slack and other security tools. Automated data ingestion and interoperability between tools reduce manual work and make their workflow more efficient.
Advanced case management & security ticketing
TheHive serves as the team’s internal ticketing system for tracking security incidents. It is more security-focused and flexible compared to other ticketing systems. It provides a clear, structured and user-friendly way to manage alerts and cases.
The analysts use TheHive to close alerts, attach files and document security cases. It also acts as a historical database for incidents and security-related actions.
The improved search functionality in version 5 of TheHive allows the team to find relevant alerts and cases much more easily. Quick access to past cases helps resolve incidents faster and more efficiently.
The team also uses TheHive to generate dashboards. They display metrics and trends, reducing the need for manual reporting, and provide security insights for management, who can track security operations without needing direct access to alerts and cases.
Thanks to the visual representation of the data, the dashboards also give management a clearer picture of the trends in seconds.
Bulk false-positive alert closure
TheHive allows the team to close multiple false-positive alerts at once by marking them as false positives and adding a single summary.
Previously, analysts had to close each false positive manually, one by one, which was tedious and time-consuming. This feature saves a lot of effort.
Joanna Raave,
Security Analyst
The team uses custom fields to categorize cases (e.g., policy violation, phishing, malware). Tags, on the other hand, help them differentiate between cases and incidents, something they found challenging before.
The analysts use Slack to create cases, close alerts and trigger investigations with the push of a button. Slack acts as an alternative way to interact with TheHive, even from their phones.
This integration allows quick response times without needing direct access to TheHive’s UI.
Alert processing workflow
SOAR receives alerts from multiple sources. One source is Wazuh, which generates alerts based on defined rules. SOAR filters these alerts before forwarding them to TheHive, which ensures that only actionable alerts reach TheHive, reducing unnecessary noise and improving response efficiency. Overall, the team gets 80-100 alerts per week.
Once an alert enters TheHive, it triggers Slack notifications for the team and, for high-severity alerts, an automated phone call to the on-call person.
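As an added example (not Pipedrive’s SOAR or TheHive’s own code), here is the API-driven path described in the two sections above, Wazuh to SOAR to TheHive to Slack/phone, reduced to its decision logic so it runs offline: filter by rule level, build a TheHive 5 alert body, and pick the notification channels. The sample Wazuh events, the level threshold, the level-to-severity mapping and the channel names are constructed assumptions; the request body follows the field names of TheHive 5’s POST /api/v1/alert as assumed here and should be checked against the API documentation before use.

```python
import json

MIN_LEVEL = 7             # assumed SOAR filter: Wazuh rule levels below this are dropped
PHONE_CALL_SEVERITY = 3   # assumed: TheHive severity 3 (High) or 4 (Critical) pages on-call

# Constructed sample alerts in the shape Wazuh writes to alerts.json
WAZUH_ALERTS = [
    {"id": "1712000000.1001", "rule": {"id": "5710", "level": 5,
     "description": "sshd: attempt to login using a non-existent user"},
     "agent": {"name": "web01"}, "data": {"srcip": "198.51.100.7"}},
    {"id": "1712000000.1002", "rule": {"id": "5712", "level": 10,
     "description": "sshd: brute force trying to get access to the system"},
     "agent": {"name": "web01"}, "data": {"srcip": "198.51.100.7"}},
    {"id": "1712000000.1003", "rule": {"id": "100200", "level": 13,
     "description": "malware signature matched on endpoint"},
     "agent": {"name": "laptop-jr"}, "data": {}},
]

def wazuh_level_to_severity(level: int) -> int:
    """Map Wazuh rule level (0-15) to TheHive severity 1..4 (Low..Critical); cut-offs are assumed."""
    return 4 if level >= 12 else 3 if level >= 9 else 2 if level >= 7 else 1

def passes_filter(alert: dict) -> bool:
    """SOAR-side noise filter: only rules at or above MIN_LEVEL are forwarded to TheHive."""
    return alert["rule"]["level"] >= MIN_LEVEL

def to_thehive_alert(alert: dict) -> dict:
    """Build the body for TheHive 5's POST /api/v1/alert (field names as assumed here).
    type+source+sourceRef must be unique per alert, so the Wazuh alert id becomes sourceRef."""
    body = {
        "type": "wazuh", "source": "wazuh", "sourceRef": alert["id"],
        "title": alert["rule"]["description"],
        "description": json.dumps(alert, indent=2),   # raw event kept for the analyst
        "severity": wazuh_level_to_severity(alert["rule"]["level"]),
        "tags": ["wazuh", "rule:" + alert["rule"]["id"], "agent:" + alert["agent"]["name"]],
        "observables": [],
    }
    srcip = alert.get("data", {}).get("srcip")
    if srcip:   # attach the source IP as an observable so it can be analysed/enriched later
        body["observables"].append({"dataType": "ip", "data": srcip, "tags": ["src-ip"]})
    return body

def notifications_for(thehive_alert: dict) -> list:
    """Every alert that enters TheHive notifies Slack; High/Critical ones also page on-call."""
    return ["slack"] + (["phone-oncall"] if thehive_alert["severity"] >= PHONE_CALL_SEVERITY else [])

def process(alerts: list) -> list:
    """Full path: filter, convert, route. Returns what the SOAR would send, without sending it."""
    out = []
    for raw in alerts:
        if passes_filter(raw):
            th = to_thehive_alert(raw)
            out.append({"alert": th, "notify": notifications_for(th)})
    return out
```

Running `process(WAZUH_ALERTS)` drops the level-5 event and returns two alert bodies, the brute-force one at severity 3 with a Slack message plus an on-call call, and the malware one at severity 4.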
TheHive in Pipedrive's real-time response workflow
The team has developed a highly responsive, time-saving workflow by integrating TheHive, Slack and their custom-built SOAR platform. Analysts can take action directly from Slack using convenient buttons that trigger TheHive’s API—allowing them to create cases, close alerts or run responders without switching tools.
These custom responders run pre-defined actions according to the team’s playbooks, perfectly tailored to Pipedrive’s context. Analysts can initiate actions like opening a new case when an alert is received, closing a false positive or logging incident actions to the incident timeline.
This versatile setup allows for fast incident handling, even from a mobile phone.
To differentiate between cases and incidents, the team relies on TheHive’s tags and custom fields to categorize events accordingly.
Why TheHive remains essential to Pipedrive’s security operations
TheHive has become an essential tool in security operations at Pipedrive.
Its functional flexibility, combined with strong API capabilities, has allowed us to improve our security workflows and overall efficiency.
Hendrik Heinsoo,
Head of Cybersecurity Team
As the cybersecurity team continues to evolve, TheHive will remain a key part of its infrastructure as a ticketing and case management system. The team will continue to use and refine their existing workflows featuring the platform, and there are plans to automate more processes to allow the analysts to focus on higher-value tasks.